Automated Security Test Orchestration with Golismero

I was recently asked to speak at a large industry event on automated security testing so decided to focus on orchestrating multiple tools. This is an area of interest of mine where multiple tests work together to validate their results. For example, what if after your dynamic web scanner completed all of the unconfirmed SQL injection results were automatically passed to SQLMap and then SQLMap attempted to exploit them, automatically moving any exploited inputs to a “confirmed” state and removing any unexploitable findings?

Because typically the most expensive part of an automated security test program is the cost of vetting the results (think expensive security analysts reviewing reports for false positives) there is significant cost savings potential in test orchestration. It also would encourage groups to venture beyond their one or two core tools.

There is an open source tool called Golismero that is attempting to do this. The tool is still fairly immature but shows promise. The way it works is really remarkable- the end user enters a fairly simple command line statement and Golismero then manages the execution and reporting of 23 automated security tools:

This simple command launched the 23 different tools and created a report with 181 findings. You can view the report here if you are interested. To read more about Golismero reporting see the reporting page.

Golismero is a tool that is a trend setter. However, it still has a ways to go. Besides the bugs that can be expected in any project like this, the big limitation in Golismero that I see right now is the lack of a high end web scanner. Theoretically, any scanner with an API can be integrated using Golismero’s plug-in framework.

Golismero can run on most flavors on Linux and can also be run on Windows with some effort and limitations.

A major shout-out to the Golismero development team for their strategic vision and hard work: